Disclosure of Invention
The application aims to provide a remote offline real-time authorization method, device and storage medium for an access control system, which can perform real-time authorization in an emergency, or when a local backup server has failed and the authorization data of a remote server cannot be acquired.
In order to achieve the above purpose, the present application provides a remote offline real-time authorization method for an access control system, which acts on a server side and a user side, and comprises the following steps:
S1: initializing a key and a lock, wherein the initialization process comprises the steps of setting a system key, setting a basic key and setting an initial value of an index value;
S2: editing authorization data and corresponding hash digest data according to an authorization request remotely applied for by a user, obtaining an authorization code and returning the authorization code to the user, the user then inputting the authorization code into the key;
S3: calculating a hash value according to the basic key and the initial value of the index value initialized in step S1 and the authorization code received in step S2, and comparing the hash value with the hash digest data of step S2; if the calculated hash value is the same as the hash digest data, sending an unlocking instruction, and otherwise not sending the unlocking instruction.
In one embodiment of the present application, in step S1, the initialization process includes the following steps:
S101: setting a common communication key as the system key, to be used as the key for encrypted communication;
S102: setting the basic key required for initializing the hash algorithm;
S103: setting the initial value of the index value required by the hash algorithm;
S104: filling the remainder of the initialization data with all 0x00 or all 0xff bytes.
In one embodiment of the present application, the authorization code is formed by mixing the authorization data and 32 bytes of data taken from the front of the 32 bytes of hash digest data, in a manner agreed upon by the server, the key and the lock.
In an embodiment of the present application, in step S3, a hash value is calculated using a standard hash algorithm or a custom hash algorithm.
In one embodiment of the present application, the method further comprises: the lock receives the unlocking instruction and executes an unlocking action;
wherein the lock and the key are in separate device forms or in integrated device forms;
when the lock and the key are in the form of separate devices, after the authorization code is input into the key, the key confirms whether the authorization data is legal and valid through the same process as in step S3, and if it is legal and valid, the authorization data is converted into the data format defined in the lock; after communication is established between the key and the lock, the key data is transmitted to the lock, and the lock executes the unlocking action after authenticating again;
when the lock and the key are in the form of an integrated device, the authorization code is input directly into the integrated device, and the unlocking action is executed after the code is confirmed to be legal and valid.
The application also provides a remote offline real-time authorization device of the access control system, which comprises an initialization module and an authorization module which are arranged at a server side, and a comparison module which is arranged at a user side;
the initialization module is used for initializing the key and the lock, and the initialization process comprises the steps of setting a system key, setting a basic key and setting an initial value of an index value;
the authorization module is used for editing authorization data and corresponding hash digest data according to an authorization request remotely applied for by a user, obtaining an authorization code and returning the authorization code to the user, the user then inputting the authorization code into the key;
the comparison module is used for calculating a hash value according to the initialized basic key, the initialized initial value of the index value and the received authorization code, and comparing the hash value with the hash digest data of step S2; if the calculated hash value is the same as the hash digest data, an unlocking instruction is sent, and otherwise the unlocking instruction is not sent.
In one embodiment of the present application, the authorization code is formed by mixing the authorization data and 32 bytes of data taken from the front of the 32 bytes of hash digest data, in a manner agreed upon by the server, the key and the lock.
In one embodiment of the present application, the comparison module calculates the hash value using a standard hash algorithm or a custom hash algorithm.
In an embodiment of the application, the device further comprises an unlocking module arranged on the lock and used for receiving the unlocking instruction sent by the comparison module and instructing the lock to execute the unlocking action;
wherein the lock and the key are in separate device forms or in integrated device forms;
when the lock and the key are in the form of separate devices, after the authorization code is input into the key, the key confirms whether the authorization data is legal and valid through the same process as in step S3, and if it is legal and valid, the authorization data is converted into the data format defined in the lock; after communication is established between the key and the lock, the key data is transmitted to the lock, and the lock executes the unlocking action after authenticating again;
when the lock and the key are in the form of an integrated device, the authorization code is input directly into the integrated device, and the unlocking action is executed after the code is confirmed to be legal and valid.
The application also provides a storage medium on which a computer program is stored, which, when executed by a processor, implements the steps of the remote offline real-time authorization method of the access control system described above.
Compared with the prior art, the remote offline real-time authorization method, device and storage medium of the access control system can be used as a standby authorization method for obtaining real-time authorization in an emergency, or when the local backup server has failed and the authorization data of the remote server cannot be acquired; the method can also be used as the ordinary authorization method, which saves the installation and configuration of the backup server.
Detailed Description
Embodiments of the application are described in detail below with reference to the accompanying drawings, and it is to be understood that the scope of the application is not limited to the specific embodiments.
Throughout the specification and claims, unless explicitly stated otherwise, the term "comprise" or variations thereof such as "comprises" or "comprising", etc. will be understood to include the stated element or component without excluding other elements or components.
As shown in fig. 1, a remote offline real-time authorization method for an access control system according to a preferred embodiment of the present application acts on a server side and a user side, and includes the following steps:
S1: the key and the lock are initialized on the server. The initialization process comprises the steps of setting a system key, setting a basic key and setting an initial value of an index value. The data set in this way is stored in little-endian byte order (the high byte of the data is stored at the high memory address, and the low byte at the low memory address), and may also be ordered in another agreed manner.
The key data needed by the hash algorithm comprises the key and the initial value of the index value, the authorization data and the filling data (0x00 or 0xff), of which only the authorization data is variable; the remaining data is transmitted by the server to the key and to the lock respectively through encrypted communication during the initialization process. The hash algorithm may require a key length of 32 bytes or a multiple of 32 bytes.
Specifically, the initialization process includes the steps of:
S101: the common communication key is set as the system key, to be used as the key for encrypted communication. The common communication key consists of a fixed string, and the same string data and string order are used at the server side, the key and the lock.
In the process of initializing communication, the fixed string is first used as the key to establish the communication connection; after the handshake succeeds, a random-number string is used to regenerate the communication key, which is stored in the memories of the server, the key and the lock respectively and is used as the encryption key during normal use. Encrypted communication means that, after the handshake in the initialization process or during normal use, the key data and the initial value of the index value required by the hash algorithm are transmitted between the server and the key or the lock, using an encryption algorithm such as 3DES or AES128, or a custom encryption algorithm.
In the method of the application, the initialization process is assumed to be operated by a system administrator in a relatively safe environment, so the encryption strength of the encrypted communication does not need to be very high, and communication efficiency is favored.
S102: the basic key required for initializing the hash algorithm is set. The basic key is generated from a random number whose byte length is selected according to the required encryption strength.
S103: the initial value of the index value required by the hash algorithm is set. The initial value of the index value is generated from a random number, and its byte length is selected according to the required encryption strength.
When the key format of the hash algorithm has become known to an outside party, the length of the index value determines the strength of the hash algorithm: for example, the probability of a single byte being cracked is 1/256, the probability of a double byte being cracked is 1/65536, and so on, so that the probability of cracking is 1/2^n (n is the bit length). The index bytes of the index value are incremented by 1 after each use, starting again from 0 on overflow.
S104: the remainder of the initialization data is filled with all 0x00 or all 0xff bytes, or with any other bytes agreed upon for use by the server side, the key and the lock.
S2: the authorization data and the corresponding hash digest data are edited according to the authorization request remotely applied for by the user, the authorization code is obtained and returned to the user, and the user inputs the authorization code into the key. The authorization data is determined according to user-defined unlocking requirements and comprises contents such as, but not limited to, the number of unlocking operations, the unlocking time range and the allowable number of trial-and-error attempts.
Specifically, the user remotely applies for authorization at the client, that is, the user sends information such as the lock number and the unlocking requirement to the server by telephone or short message; the server edits the authorization data and the corresponding hash digest data and takes part or all of that data to obtain an authorization code; the authorization code is transmitted to the user by telephone or short message, and the user inputs the authorization code into the key.
The length of the authorization code can be selected according to the encryption strength required by the user, and the code can be formed by mixing the authorization data and 32 bytes of data taken from the front of the 32 bytes of hash digest data, in the manner agreed upon by the server, the key and the lock.
Wherein the encryption strength is equal to a binary exponent of the selected byte length.
S3: a hash value is calculated according to the basic key and the initial value of the index value initialized in step S1 and the authorization code received in step S2, and is compared with the hash digest data of step S2; an unlocking instruction is sent if the calculated hash value is the same as the hash digest data, and otherwise the unlocking instruction is not sent.
Specifically, after the key receives the authorization data or the lock device receives the user input, a standard hash algorithm is used to calculate a hash value, and the hash value is compared with the hash digest data to confirm whether the authorization data is legal and valid.
When the user inputs the authorization data, a trial-and-error protection algorithm with a limited number of attempts is adopted, and input is locked for a period of time after the number of attempts is exceeded, so as to prevent the authentication process from being cracked by frequent input of authorization codes.
The step S3 further comprises the following steps: the lock receives an unlocking instruction and performs an unlocking action.
The unlocking action may be the opening of an actual door lock, an unlocking instruction, a logical unlocking level, or the like.
The lock and the key may be in the form of separate devices, or in the form of a device in which the lock and the key are integrated.
For the separate device form of the lock and the key, after the remote authorization code is input into the key, the key confirms whether the authorization code is legal and valid through the same calculation process as in step S3, and if it is legal and valid, the authorization code is converted into the data format defined in the lock. Communication is then established between the key and the lock, in either a contact or a wireless manner, and the key data is transmitted to the lock; that is, the converted authorization code is encrypted with a preset communication key and then transmitted to the lock, and the lock performs the unlocking action after authentication.
For the integrated device form of the lock and the key, the authorization code is input directly into the device, and the unlocking action is executed after the code is confirmed to be legal and valid.
The application encrypts the authorization data through a hash algorithm, wherein the hash key comprises four parts: the first part is the basic key bytes set at system initialization, the second part is the index bytes incremented after each use, the third part is the authorization data bytes, and the fourth part is the lock ID (lock number) bytes. Part or all of the digest data obtained after the hash calculation is transmitted to the user by telephone or short message, and the user inputs the authorization code into the lock device to execute the unlocking action.
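The S2/S3 exchange for the integrated lock-and-key form can be sketched as follows. This is an added example, not code from the application; it assumes SHA-256 as the standard hash algorithm, a 2-byte index value, an 8-byte digest prefix, and a field layout, hex encoding and sample values constructed for illustration.

```python
import hashlib
import hmac
import struct

PAD = b"\x00"        # S104 filler byte (all 0x00 here; all 0xff is the other option)
INDEX_LEN = 2        # assumption: 2-byte index value
TAG_LEN = 8          # assumption: leading digest bytes carried in the code
AUTH_FMT = "<BIIB"   # assumption: unlock count, not-before, not-after, allowed tries
AUTH_LEN = struct.calcsize(AUTH_FMT)


def hash_input(base_key, index, auth, lock_id):
    """Basic key | index | authorization data | lock ID, filled to a multiple of 32 bytes."""
    block = base_key + index.to_bytes(INDEX_LEN, "little") + auth + lock_id
    return block + PAD * (-len(block) % 32)


def tag_for(base_key, index, auth, lock_id):
    """Leading TAG_LEN bytes of the 32-byte SHA-256 digest."""
    return hashlib.sha256(hash_input(base_key, index, auth, lock_id)).digest()[:TAG_LEN]


def issue_code(base_key, index, auth, lock_id):
    """Server side (S2): authorization data followed by the digest prefix, as hex."""
    return (auth + tag_for(base_key, index, auth, lock_id)).hex()


class Lock:
    """Integrated lock/key device (S3) with limited trial-and-error attempts."""

    def __init__(self, base_key, index, lock_id, max_tries=3, lockout_s=300):
        self.base_key, self.index, self.lock_id = base_key, index, lock_id
        self.max_tries, self.lockout_s = max_tries, lockout_s
        self.failures, self.locked_until = 0, 0

    def try_unlock(self, code_hex, now):
        if now < self.locked_until:
            return "locked_out"
        try:
            raw = bytes.fromhex(code_hex)
        except ValueError:
            raw = b""
        auth, tag = raw[:AUTH_LEN], raw[AUTH_LEN:]
        expected = tag_for(self.base_key, self.index, auth, self.lock_id)
        # Constant-time comparison of the received and recomputed digest prefix.
        ok = len(raw) == AUTH_LEN + TAG_LEN and hmac.compare_digest(tag, expected)
        if ok:
            _count, not_before, not_after, _tries = struct.unpack(AUTH_FMT, auth)
            ok = not_before <= now <= not_after
        if ok:
            # The index advances by 1 after each use and wraps to 0 on overflow,
            # so a code that has been used no longer verifies.
            self.index = (self.index + 1) % (1 << (8 * INDEX_LEN))
            self.failures = 0
            return "unlock"
        self.failures += 1
        if self.failures >= self.max_tries:
            self.locked_until = now + self.lockout_s
            self.failures = 0
        return "reject"


def demo():
    base_key = bytes(range(32))      # constructed sample key; real keys are random
    lock_id = b"LOCK0001"            # constructed lock number
    auth = struct.pack(AUTH_FMT, 1, 1000, 2000, 3)
    lock = Lock(base_key, 0xFFFF, lock_id)
    code = issue_code(base_key, 0xFFFF, auth, lock_id)
    # First use unlocks, the replay is rejected, and the index has wrapped to 0.
    return [lock.try_unlock(code, 1500), lock.try_unlock(code, 1501), lock.index]


if __name__ == "__main__":
    print(demo())
```

The server has to keep the same index value as the lock and advance it after each use, as the text describes, or later codes will not verify.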
Compared with the prior art, the real-time authorization method provided by the application can reduce the installation and configuration of the local server, can be used as an authorization supplementing method in the original network authorization mode, and can still authorize and execute unlocking actions in real time under the condition of emergency or network failure.
As shown in fig. 2, a remote offline real-time authorization device for an access control system according to a preferred embodiment of the present application includes an initialization module 1 and an authorization module 2 disposed at a server side, and a comparison module 3 disposed at a user side.
The initialization module 1 is used for initializing the key and the lock, and the initialization process comprises the steps of setting a system key, setting a basic key and setting an initial value of an index value. The data set in this way may be stored in little-endian byte order (the high byte of the data is stored at the high memory address, and the low byte at the low memory address), or may be ordered in another agreed manner.
The key data required by the hash algorithm comprises the set system key, the basic key, the set initial value of the index value, the authorization data and the filling data (0x00 or 0xff), of which only the authorization data is variable; the remaining data is transmitted by the server to the key and to the lock respectively through encrypted communication during the initialization process. The hash algorithm may require a key length of 32 bytes or a multiple of 32 bytes.
Specifically, the initialization process includes the steps of:
S101: the common communication key is set as the system key, to be used as the key for encrypted communication. The common communication key consists of a fixed string, and the same string data and string order are used at the server side, the key and the lock.
In the process of initializing communication, the fixed string is first used as the key to establish the communication connection; after the handshake succeeds, a random-number string is used to regenerate the communication key, which is stored in the memories of the server, the key and the lock respectively and is used as the encryption key during normal use. Encrypted communication means that, after the handshake in the initialization process or during normal use, the key data and the initial value of the index value required by the hash algorithm are transmitted between the server and the key or the lock, using an encryption algorithm such as 3DES or AES128, or a custom encryption algorithm.
The device of the application assumes that the initialization process is operated by a system administrator in a relatively safe environment, so the encryption strength of the encrypted communication does not need to be very high, and communication efficiency is favored.
S102: the basic key required for initializing the hash algorithm is set. The basic key is generated from a random number whose byte length is selected according to the required encryption strength.
S103: the initial value of the index value required by the hash algorithm is set. The initial value of the index value is generated from a random number, and its byte length is selected according to the required encryption strength.
When the key format of the hash algorithm has become known to an outside party, the length of the index value determines the strength of the hash algorithm: for example, the probability of a single byte being cracked is 1/256, the probability of a double byte being cracked is 1/65536, and so on, so that the probability of cracking is 1/2^n (n is the bit length). The index bytes of the index value are incremented by 1 after each use, starting again from 0 on overflow.
S104: the remainder of the initialization data is filled with all 0x00 or all 0xff bytes, or with any other bytes agreed upon for use by the server side, the key and the lock.
The authorization module 2 is configured to edit authorization data and corresponding hash digest data according to an authorization request remotely applied for by a user, and to send the authorization data and the hash digest data back to the user, who inputs them into the key. The authorization data is determined according to user-defined unlocking requirements and comprises contents such as, but not limited to, the number of unlocking operations, the unlocking time range and the allowable number of trial-and-error attempts.
Specifically, the user remotely applies for authorization at the client, that is, the user sends information such as the lock number and the unlocking requirement to the server by telephone or short message; the server edits the authorization data and the corresponding hash digest data and takes part or all of that data to obtain an authorization code; the authorization code is transmitted to the user by telephone or short message, and the user inputs the authorization code into the key.
The length of the authorization code can be selected according to the encryption strength required by the user, and the code can be formed by mixing the authorization data and 32 bytes of data taken from the front of the 32 bytes of hash digest data, in the manner agreed upon by the server, the key and the lock.
Wherein the encryption strength is equal to a binary exponent of the selected byte length.
The comparison module 3 is used for calculating a hash value according to the initialized basic key, the initialized initial value of the index value and the received authorization code, and comparing the hash value with the hash digest data from the authorization module 2; if the calculated hash value is the same as the hash digest data, an unlocking instruction is sent to the unlocking module 4, and otherwise the unlocking instruction is not sent.
Specifically, after the key receives the authorization data or the lock device receives the user input, a standard hash algorithm or a custom hash algorithm is used to calculate a hash value, and the hash value is compared with the hash digest data to confirm whether the authorization data is legal and valid.
When the user inputs the authorization data, a trial-and-error protection algorithm with a limited number of attempts is adopted, and input is locked for a period of time after the number of attempts is exceeded, so as to prevent the authentication process from being cracked by frequent input of authorization codes.
The remote offline real-time authorization device of the access control system further comprises an unlocking module 4 arranged on the lock equipment and used for receiving the unlocking instruction sent by the comparison module 3 and indicating the lock to execute unlocking action.
The unlocking action may be the opening of an actual door lock, an unlocking instruction, a logical unlocking level, or the like.
The lock and the key may be in the form of separate devices, or in the form of a device in which the lock and the key are integrated.
For the separate device form of the lock and the key, after the remote authorization code is input into the key, the key confirms whether the authorization code is legal and valid through the same calculation process as in the comparison module 3, and if it is legal and valid, the authorization code is converted into the data format defined in the lock. Communication is then established between the key and the lock, in either a contact or a wireless manner, and the key data is transmitted to the lock: the converted authorization code is encrypted with a preset communication key during communication and transmitted to the lock device, and the lock executes the unlocking action after authenticating again.
For the integrated device form of the lock and the key, the authorization code is input directly into the device, and the unlocking action is executed after the code is confirmed to be legal and valid.
Based on the same inventive concept, the application also provides a non-transitory computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the remote offline real-time authorization method of the access control system according to the above embodiment.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing descriptions of specific exemplary embodiments of the present application are presented for purposes of illustration and description. It is not intended to limit the application to the precise form disclosed, and obviously many modifications and variations are possible in light of the above teaching. The exemplary embodiments were chosen and described in order to explain the specific principles of the application and its practical application to thereby enable one skilled in the art to make and utilize the application in various exemplary embodiments and with various modifications as are suited to the particular use contemplated. It is intended that the scope of the application be defined by the claims and their equivalents.